1. Field of the Invention
The present invention relates to security for data transmission/reception via a network and, more particularly, to a technique of controlling an IP packet size to prevent IP fragmentation in communication using IPsec.
2. Description of the Related Art
In recent years, there has been an increasing demand for security on a network, especially for security using encrypted communication. Several protocols exist as security protocols. Among them, IPsec (IP Security Protocol) includes a mechanism for authenticating the transmission source and assuring data integrity by the AH (Authentication Header) protocol. In addition, IPsec includes a mechanism for assuring the confidentiality of an IP packet, security assurance, and authentication of the transmission source by the ESP (Encapsulating Security Payload) protocol. Since IPsec is a security protocol implemented at the IP level (the network layer in the open systems interconnection (OSI) reference model), AH processing and ESP processing are executed for each IP packet. IPsec technology is defined in RFC2401, RFC2402, RFC2406, and the like.
In communication using IP, an MTU (Maximum Transmission Unit) is defined as the maximum amount of data that can be transmitted in one transfer operation. To transmit an IP packet whose size exceeds the MTU, the IP packet undergoes IP fragmentation and is then transmitted. As a technique for preventing IP fragmentation, PMTU (Path MTU Discovery) is defined in RFC1191 and RFC1981.
Japanese Patent Laid-Open No. 2006-165847 discloses a technique of optimizing the packet length of a communication packet using IPsec by maximizing it within the range of PMTU.
The size of an IP packet after IPsec application increases, as compared with the IP packet size before IPsec application, because of the ESP processing or AH processing. If, therefore, the IP packet size before IPsec application is close to the MTU, the IP packet is fragmented. Since the fragmentation of the IP packet requires IP packet division processing on the transmission side and IP packet reconstruction processing on the reception side, the communication speed decreases.
To prevent an IP packet after IPsec application from being fragmented, the MTU value can be made small by PMTU. However, PMTU uses ICMP packets, so such a packet may be discarded by a firewall. In addition, the IP packet size increment due to IPsec application is not strictly considered, and thus an IP packet after IPsec application may still be fragmented. Even if the MTU value is changed to a value that prevents an IP packet from being fragmented, it is not ensured that the IP packet size is maximized within the range in which the IP packet is not fragmented. When, therefore, an IP packet is not fragmented but the MTU value is small, the IP packet size becomes small, thereby decreasing the communication speed.
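The size increase described above can be computed exactly from the ESP and AH formats rather than estimated. The following worked example is added here and is not part of the patent text: it computes the IP packet size after ESP or AH transport-mode (and ESP tunnel-mode) processing and then searches for the largest pre-IPsec packet size whose post-IPsec size still fits the MTU. The algorithm parameters (AES-CBC with a 16-byte IV and block size, HMAC-SHA1-96 with a 12-byte ICV, an IPv4 header of 20 bytes without options) and the sample MTU of 1500 are assumptions chosen for illustration; the header and trailer field sizes follow RFC 2402 and RFC 2406.

```python
# Added worked example (not from the patent text): IP packet size after IPsec
# application, and the largest pre-IPsec packet size that is not fragmented.

IPV4_HEADER = 20          # bytes, IPv4 header without options (assumed)
ESP_HEADER = 8            # SPI (4) + sequence number (4), RFC 2406
ESP_TRAILER_FIXED = 2     # pad length (1) + next header (1), RFC 2406
AH_FIXED = 12             # next header, payload length, reserved, SPI, sequence number, RFC 2402


def esp_padding(protected_len, block_size):
    """Padding so that protected data + padding + the 2 fixed trailer bytes
    is a multiple of the cipher block size (CBC requirement)."""
    return (-(protected_len + ESP_TRAILER_FIXED)) % block_size


def esp_packet_size(plain_packet_size, iv_len=16, block_size=16, icv_len=12,
                    ip_header=IPV4_HEADER, tunnel=False):
    """Size of the IP packet after ESP processing.
    Transport mode protects the IP payload only; tunnel mode protects the whole
    original packet and prepends a new outer IP header.
    Assumed algorithms: AES-CBC (16-byte IV/block), HMAC-SHA1-96 (12-byte ICV)."""
    protected = plain_packet_size if tunnel else plain_packet_size - ip_header
    pad = esp_padding(protected, block_size)
    return (ip_header + ESP_HEADER + iv_len + protected + pad
            + ESP_TRAILER_FIXED + icv_len)


def ah_packet_size(plain_packet_size, icv_len=12, ip_header=IPV4_HEADER):
    """Size of the IP packet after AH transport-mode processing.
    The AH header is the 12 fixed bytes plus the ICV, padded to a multiple of 4
    octets for IPv4 (RFC 2402)."""
    ah_len = AH_FIXED + icv_len
    ah_len += (-ah_len) % 4
    return plain_packet_size + ah_len


def would_fragment(plain_packet_size, mtu, size_after_ipsec):
    """True if the packet exceeds the MTU only after IPsec application."""
    return size_after_ipsec(plain_packet_size) > mtu


def max_unfragmented_plain_size(mtu, size_after_ipsec):
    """Largest pre-IPsec packet size whose post-IPsec size does not exceed the MTU.
    ESP growth is a step function because of block padding, so walk down from
    the MTU and return the first size that fits."""
    for size in range(mtu, IPV4_HEADER, -1):
        if size_after_ipsec(size) <= mtu:
            return size
    raise ValueError("MTU too small for any IPsec packet")


if __name__ == "__main__":
    mtu = 1500  # assumed link MTU for the illustration
    for name, fn in (("ESP transport", esp_packet_size), ("AH transport", ah_packet_size)):
        best = max_unfragmented_plain_size(mtu, fn)
        print(f"{name}: max pre-IPsec size {best}, post-IPsec size {fn(best)}")
    # A packet that fits the MTU before ESP, and would still fit if only the
    # fixed ESP overhead were counted, is fragmented once padding is included.
    print("1460-byte packet fragmented under ESP:", would_fragment(1460, mtu, esp_packet_size))
```

With the assumed parameters, the fixed ESP overhead is 58 bytes, yet a 1460-byte packet (1460 + 38 of non-IP-header overhead = 1498, apparently within 1500) is fragmented because 14 bytes of block padding push it to 1512; the largest pre-IPsec packet that survives is 1458 bytes, which becomes 1496 bytes. This is the strict accounting the text says a plain MTU reduction does not perform.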